Information Security Magazine

 

Publisher's Note: Security goals
by Andrew Briney
Issue: Jul 2005
Security pros are wimping out on the hard stuff. What's your No. 1 security goal this year? If I were a betting man, I'd go all in that you'd say, "improving regulatory compliance," "developing security metrics" or some other strategic activity.

Well, good thing I know when to fold, because the actual answer is much more tactical: "preventing viruses and worms." According to a new Information Security survey, 93 percent of 430 security pros surveyed said malware defense is a "very important" or "important" goal for 2005.

Turns out none of the top three security priorities for 2005 have anything to do with broader security, IT or business strategy. The top priorities are all about the same old ops that have long defined security: controlling malware, including viruses, worms and spyware, and hardening the corporate perimeter against external attacks. Improving compliance is No. 4 on the list, but other strategic activities, like controlling security costs and increasing spending efficiency, are toward the bottom.

We also asked security pros to rate how successful they are in various security activities. No. 1 on the list was (surprise!) defending against viruses and worms—in other words, improving what security pros already do best.

The activities security pros do worst are quantifying security ROI (42 percent said their processes for this are "extinct" or in the "dark ages"), lifecycle risk management and quantifying risk reduction—activities that are at the bottom of 2005's list of priorities.

I'm not downplaying the importance of blocking and tackling. It's human nature to focus on the things you're good at and to ignore or procrastinate things that are hard. But, I'm amazed that security managers (two-thirds of the survey respondents were managers) recognize that they're sacrificing larger strategic imperatives in the process.

Excelling at operational activities, like virus defense, tends to be anesthetizing. You get high on the benefits—increased visibility and the value to the business—which in turn makes it easier to get budget. It's a vicious positive-reinforcement cycle.

Truth is that security is wimping out on the hard stuff. It's one thing to ignore strategic security issues, it's another to acknowledge that you're doing so and not try to adjust.

Business and IT leadership desperately need security to be more than an annoying layer of cost and inconvenience. Blocking and tackling is important, but it's not enough. It's routine, it's expected, it's the baseline from which more strategic activities must build. It's time for security to move on.

Security leadership is having the fortitude to tackle the hard stuff and keep doing it until it's as routine as virus defense. I'm talking about engaging with business owners on their objectives and processes; measuring and communicating the benefits (cost, time, risk) of building security into the front end of projects; motivating rather than mandating changes in security policy and awareness; and quantifying security's contribution to compliance efforts.

That's the real value of security, not counting the number of averted macro viruses.

Changes at Information Security
After nearly five years at the magazine, Lawrence Walsh has left Information Security. We're sorry to see him go, but we wish him well in his new endeavors. I am pleased to announce that Jon Panker has been appointed editorial director of the TechTarget Security Media Group, which includes Information Security and SearchSecurity.com. Jon will also be heading up the program for Information Security Decisions, our semiannual conference.




